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CLAIMS 

What is claimed is: 

1 . A method for mirroring of select network traffic, the method comprising: 
receiving a data packet by a network device; 
5 determining whether a designated aspect of the packet matches a flagged 

entry in a look-up table on the network device; and 
sending a copy of the packet to an associated mirror destination if a 
match is found. 

10 2. The method of claim 1 , wherein the LUT comprises a media access 
(MAC) address table. 

3. The method of claim 2, wherein the designated aspect used for matching 
comprises a source MAC address. 

15 

4. The method of claim 2, wherein the designated aspect used for matching 
comprises a destination MAC address of the packet. 

5. The method of claim 2, wherein the designated aspect used for matching 
20 comprises both a source MAC address and a destination MAC address of 

the packet, and wherein the match is found if either matches. 

6. The method of claim 2, wherein the designated aspect used for matching 
comprises both a source MAC address and a destination MAC address of 

25 the packet, and wherein the match is found if both matches. 

7. The method of claim 1 , wherein the LUT comprises an Internet protocol 
(IP) address table. 

30 8. The method of claim 7, wherein the designated aspect used for matching 
comprises a source IP address. 
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9. The method of claim 7, wherein the designated aspect used for matching 
comprises a destination IP address of the packet. 

10. The method of claim 7, wherein the designated aspect used for matching 
5 comprises both a source IP address and a destination IP address of the 

packet, and wherein the match is found if either matches. 

1 1 . The method of claim 7, wherein the designated aspect used for matching 
comprises both a source IP address and a destination IP address of the 

10 packet, and wherein the match is found if both matches. 

12. The method of claim 1 , wherein the LUT comprises a subnet table. 

13. The method of claim 12, wherein the designated aspect used for matching 
15 comprises a destination IP address, and wherein a match is found if the 

destination address is within a flagged subnet in the subnet table. 

14. The method of claim 12, wherein the designated aspect used for matching 
comprises a source IP address, and wherein a match is found if the 

20 source address is within a flagged subnet in the subnet table. 

15. The method of claim 12, wherein the designated aspect used for matching 
comprises both a source IP address and a destination IP address, and 
wherein a match is found if either of the addresses are within a flagged 

25 subnet in the subnet table. 

16. The method of claim 12, wherein the designated aspect used for matching 
comprises both a source IP address and a destination IP address, and 
wherein a match is found if both of the addresses are within a flagged 

30 subnet in the subnet table. 

17. The method of claim 1, wherein the LUT comprises an access control list 
(ACL). 
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18. The method of claim 17, wherein the designated aspect comprises a filter 
element. 

5 19. The method of claim 1 , wherein the determination of a match is 
accomplished by way of a linear search. 

20. The method of claim 1 , wherein the determination of a match is 
accomplished by using a hash table. 

10 

21 . The method of claim 1 , wherein the determination of a match is 
accomplished utilizing a b-tree searching algorithm. 

22. The method of claim 1 , wherein the look-up table is stored in content 
15 addressable memory. 

23. The method of claim 1 , wherein the determination of a match is 
accomplished using a search process that stops when a first match to the 
designated aspect is found, irregardless of whether the entry found is 

20 flagged for mirroring. 

24. A networking apparatus, the apparatus comprising: 

an operating system including routines utilized to control the apparatus; 
a look-up table including selection information for mirror sources therein; 
25 and 

a mirroring engine for forwarding copies of selected packets to at least 
one corresponding mirror destination. 

25. The apparatus of claim 24, wherein a packet is mirrored if a designated 
30 aspect of the packet matches a flagged entry in the look-up table. 

26. The apparatus of claim 24, wherein multiple mirror sources correspond to 
the mirror destination(s). 
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27. The apparatus of claim 24, wherein the apparatus supports multiple mirror 
sessions, wherein each mirror session comprises at least one mirror 
source and at least one corresponding mirror destination, 

5 

28. The apparatus of claim 24, wherein the look-up table comprises a MAC 
address table. 

29. The apparatus of claim 24, wherein the look-up table comprises an IP 
10 address table. 



30. The apparatus of claim 24, wherein the look-up table comprises a subnet 
table. 

15 31 . The apparatus of claim 24, wherein the look-up table comprises an 
access control list. 

32. A method of selecting packets to mirror from network traffic, the method 
comprising: 

20 receiving a data packet by a network device; 

determining whether characteristics of the packet matches static mirroring 

criteria from a look-up table on the network device; 
checking state information relating to the network traffic against dynamic 
mirroring criteria; and 
25 sending a copy of the packet to an associated mirror destination if the 

characteristics of the packet matches the static mirroring criteria 
and if the state information matches the dynamic mirroring criteria. 

33. The method of claim 32, wherein the state information comprises a 
30 number of packets so far matching the static mirroring criteria, and 

wherein at least one counter is used to maintain the state information. 
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34. The method of claim 32, wherein the state information comprises a time 
between mirrored packets. 

35. The method of claim 32, wherein the state information comprises whether 
a valid TCP connection has been formed. 

36. The method of claim 32, wherein the state information comprises whether 
an allocated bandwidth has been used up. 
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